GDPR has added a new hurdle for companies trying to stay profitable: data breaches are now even more costly. An attacker can compromise a business system, steal customer data, encrypt the computers and demand a large ransom before the data is restored. Quite often, once the data is restored, the attackers reinfect the systems and demand even more money.
The next phase of a breach is determining what was compromised, which means calling in experts. These cybersecurity professionals are in short supply, so costs escalate quickly.
Then there is customer and partner notification, which can mean a major loss of trust and future business. Competitors can use a breach against your organization, costing you further clients. Then there are the costs of lawsuits, contractual fines from the credit card brands, credit monitoring you may need to provide to affected customers, and myriad regulatory penalties such as those under HIPAA and from FINRA.
As a result of a breach, cybersecurity insurance rates quickly skyrocket.
In short, you spend a tremendous amount of money, business is disrupted for days, weeks or even months and investigations and lawsuits can go on for years.
The situation has become more expensive thanks to GDPR. This EU law applies to any company that processes the personal data of people in the European Union, wherever the company itself is based.
It gives regulators the power to levy heavy fines on companies that do not secure that data. GDPR is not even a year old, and so far almost 59,000 data breaches have been reported.
The Netherlands, Germany and the UK lead the rankings with roughly 15,400, 12,600, and 10,600 reported breaches respectively, as detailed in a report published by the DLA Piper global law firm, while companies from Liechtenstein, Iceland, and Cyprus reported 5, 25 and 35 breaches respectively.
While a European Commission Statement issued on January 25 stated that companies reported 41,502 data breaches since the GDPR enactment, these results were "based only on the voluntary contributions of 21 (out of 28 EU Member States) data protection regulators" says DLA Piper.
Based on the law firm's "research covering 23 of the 28 EU Member States, together with figures for Norway, Iceland and Liechtenstein (the three additional European Economic Area Member States), we calculate that there have been 59,430 reported data breaches over the same period across Europe."
Fines are already rolling out in the tens of millions of euros in aggregate. As of this writing, one euro is worth one U.S. dollar and fourteen cents.
Some of the fines are for failures that could happen to any company, such as storing passwords without hashing them and exposing health records on the public internet.
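The password point deserves a concrete illustration. The following is an added example, not code from the original article or from any of the companies it mentions: it contrasts the two storage mistakes regulators have fined (plaintext, and an unsalted fast hash that one wordlist cracks for every user at once) with per-user salted scrypt from the Python standard library, verified in constant time. The scrypt cost parameters and the sample passwords are assumptions constructed for the demonstration.

```python
"""Added example: why "not hashing passwords" turns a leaked table into a breach.

Standard library only. The weak_* functions reproduce the failures the
article alludes to; hash_password/verify_password show the salted-KDF form.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Optional

# Weak scheme 1: plaintext. Whoever dumps the table holds every credential.
def weak_store_plaintext(password: str) -> str:
    return password

# Weak scheme 2: unsalted fast hash. Equal passwords give equal digests, so a
# single precomputed table cracks every matching user in one pass.
def weak_store_unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

def crack_unsalted(leaked_digests: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Offline dictionary attack on an unsalted table: hash each candidate once,
    then look every leaked digest up in the result."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in wordlist}
    return {d: table[d] for d in leaked_digests if d in table}

# Recommended: per-user random salt and a slow, memory-hard KDF.
# Cost parameters are an assumption for this example (16 MiB of memory);
# raise them as hardware improves. The record stores them, so old rows stay valid.
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scheme$N$r$p$salt_hex$digest_hex."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and parameters; compare in constant time.
    Malformed records are rejected rather than raising."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = record.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        n, r, p = int(n), int(r), int(p)
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=len(expected))
    return hmac.compare_digest(digest, expected)

if __name__ == "__main__":
    # Constructed sample data: two users who chose the same weak password.
    leaked = [weak_store_unsalted_sha256("Winter2019!"), weak_store_unsalted_sha256("Winter2019!")]
    print("unsalted digests identical:", leaked[0] == leaked[1])
    print("cracked:", crack_unsalted(leaked, ["password", "Winter2019!", "letmein"]))
    rec = hash_password("Winter2019!")
    print("salted records differ:", rec != hash_password("Winter2019!"))
    print("verify correct/wrong:", verify_password("Winter2019!", rec), verify_password("winter2019!", rec))
```

The salted records for two users with the same password differ, so a leaked table gives the attacker no shortcut and each guess costs a full scrypt evaluation; the unsalted table, by contrast, is cracked with one hash per wordlist entry.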
The weakest link in any company's cybersecurity is workers who click on a link or attachment in a phishing email or social media message. Even the best-designed networks can be breached this way. We suggest every company use a phishing simulation tool that tests employees. One option, Phish360, is so effective that in some organizations nearly 100% of employees clicked the simulated lure.
The good news is the workers who click can be quickly trained on what to avoid in the future.
Here are other areas all organizations looking to promote a cybersecurity culture need to focus on:
1. Cybersecurity training must be done regularly.
2. Auditing and documentation must be performed regularly to ensure systems are secure.
3. Anomaly detection should be running constantly to detect threats as they emerge.
4. Penetration testing shows whether systems can easily be reached from the outside. Here is a case where this test might have saved two companies' reputations from being destroyed.
5. Network forensics capability, for when a breach eventually occurs. The bad guys always seem to get in eventually.
6. An action plan to follow when a breach does occur. Once it happens, few will have the clear heads needed to "wing it" correctly. Equifax botched its response in what is being called a PR catastrophe.
7. Even if you have internal IT, hire an experienced MSP or MSSP like Apex Technology Services to keep your organization secure.
It’s a dangerous world. Every company must be proactive to stay secure.